DomainKeys Identified Mail (DKIM) uses public-key cryptography to sign email messages. The private key is kept secret on the sending mail server, while the corresponding public key must be made publicly available for receiving servers to use for verification. The standard mechanism for publishing this public key is within a DNS TXT (Text) record. The record is created at a specific hostname, which includes a "selector" and the domainkey subdomain (e.g., selector.domainkey.example.com), allowing mail receivers to query DNS, retrieve the key, and validate the email's signature.

A. AAAA record: Incorrect. This record maps a hostname to an IPv6 address and is used for network routing, not for storing cryptographic keys.

B. PTR record: Incorrect. This record is used for reverse DNS lookups, mapping an IP address back to a hostname, primarily for verification and logging.

D. MX record: Incorrect. This record specifies the mail exchange servers responsible for receiving email for a domain; it is fundamental to email routing.

1. Cisco

"AsyncOS 14.0 for Email Security Configuration Guide - GD (General Deployment)": In the chapter "Configuring DomainKeys Identified Mail (DKIM) Signing

" the section "Publishing the Public Key to DNS" states

"After you generate the public-private key pair

you must publish the public key to a publicly-accessible DNS server. You publish the public key by creating a TXT record for the domain."

2. Cisco

"Email Authentication Best Practices: SPF

DKIM

and DMARC": This document explains

"The public key is published in DNS as a TXT record. When a receiving mail server gets an email from your domain

it will perform a DNS lookup to retrieve the public key TXT record."

3. Internet Engineering Task Force (IETF)

RFC 6376

"DomainKeys Identified Mail (DKIM) Signatures": The official standard for DKIM. Section 3.6.2.1

"Record Syntax

" specifies

"The public key is stored in a TXT Resource Record (RR) in the DNS." This is the foundational protocol document.